User registries

Information about users and groups resides in a user registry. In WAS, the user registry is the component that authenticates a user and that supplies the user and group information on which the security functions, including authentication and authorization, depend.

WAS provides several implementations that support multiple types of user registries, including operating system based (Local OS) registries and LDAP servers. Use the custom LDAP feature to support any LDAP server by setting up the correct configuration (user and group filters). However, support is not extended to these custom LDAP servers, because too many possible configurations exist for all of them to be tested.

In addition to the Local OS and LDAP registries, WAS provides a plug-in point for any other registry through the custom registry feature (also referred to as a custom user registry). This feature supports any user registry that is not implemented by WebSphere Application Server: you can make any registry work in the product environment by implementing an interface called the UserRegistry interface.

The UserRegistry interface is very helpful in situations where the existing user and group information is held in some other form (for example, a database) and cannot be moved to Local OS or LDAP. In such a case, implement the UserRegistry interface so that WAS can use the existing registry for all of its security-related operations. Implementing a custom registry is a software development effort, and the implementation must not depend on other WAS resources, for example data sources, for its operation, because the security runtime calls the registry while the server is starting, before those resources are available.
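The following class is an added example of a custom registry, not code from this page or from IBM (IBM ships its own FileRegistrySample, which this is not). The hypothetical HashedFileRegistry implements the UserRegistry interface over two local text files and shows the two halves of the contract the paragraph above describes: checkPassword for authentication, and the user and group lookups that authorization relies on. Assumptions that are not from the page: the class itself and its file formats, the custom property names usersFile, groupsFile and realm (WAS hands a registry's configured custom properties to initialize through the Properties argument), Java 8 or later, and compilation against the WAS runtime jar that contains com.ibm.websphere.security.UserRegistry.

```java
import java.io.*;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import com.ibm.websphere.security.*;
import com.ibm.websphere.security.cred.WSCredential;

/* Hypothetical file-backed custom registry (added example, not IBM's FileRegistrySample).
 * usersFile lines:  name:uniqueId:base64(salt):base64(PBKDF2-HMAC-SHA256(password, salt))
 * groupsFile lines: name:uniqueId:member1,member2,...   Lines starting with '#' are ignored. */
public class HashedFileRegistry implements UserRegistry {
    private static class Entry { String id; byte[] salt, hash; List<String> members = new ArrayList<>(); }
    private final Map<String, Entry> users = new LinkedHashMap<>(), groups = new LinkedHashMap<>();
    private String realm = "customRealm";

    // Reads only local files: a custom registry must not depend on data sources or other
    // WAS resources, because security is initialised before they are usable.
    public void initialize(Properties props) throws CustomRegistryException {
        try {
            load(props.getProperty("usersFile"), users, false);
            load(props.getProperty("groupsFile"), groups, true);
            realm = props.getProperty("realm", realm);
        } catch (IOException | RuntimeException e) { throw new CustomRegistryException("registry load failed: " + e); }
    }
    private static void load(String path, Map<String, Entry> into, boolean group) throws IOException {
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            for (String line = r.readLine(); line != null; line = r.readLine()) {
                String[] f = line.trim().split(":");
                if (line.startsWith("#") || f.length < (group ? 3 : 4)) continue;
                Entry e = new Entry(); e.id = f[1];
                if (group) e.members.addAll(Arrays.asList(f[2].split(",")));
                else { e.salt = Base64.getDecoder().decode(f[2]); e.hash = Base64.getDecoder().decode(f[3]); }
                into.put(f[0], e);
            }
        }
    }

    // Authentication: WAS passes the submitted name and password and uses the returned security
    // name for the subject. An unknown user and a wrong password fail identically (same exception,
    // same PBKDF2 cost, so timing does not reveal whether the account exists) and the hash
    // comparison is constant-time.
    public String checkPassword(String user, String password) throws PasswordCheckFailedException, CustomRegistryException {
        if (password == null || password.isEmpty()) throw new PasswordCheckFailedException("authentication failed for " + user);
        Entry e = users.get(user);
        byte[] derived = pbkdf2(password, e == null ? new byte[16] : e.salt);
        if (e == null || !MessageDigest.isEqual(e.hash, derived))
            throw new PasswordCheckFailedException("authentication failed for " + user);
        return user;
    }
    // Also usable offline to produce the hash column of usersFile from a fresh random 16-byte salt.
    static byte[] pbkdf2(String password, byte[] salt) throws CustomRegistryException {
        try { return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(
                new PBEKeySpec(password.toCharArray(), salt, 100_000, 256)).getEncoded(); }
        catch (GeneralSecurityException ex) { throw new CustomRegistryException(ex.getMessage()); }
    }
    public String mapCertificate(X509Certificate[] chain) throws CertificateMapNotSupportedException {
        throw new CertificateMapNotSupportedException("client certificate mapping not supported"); }
    public String getRealm() { return realm; }

    // Lookups WAS uses for authorization (group membership) and for the administrative console.
    public boolean isValidUser(String user) { return users.containsKey(user); }
    public boolean isValidGroup(String group) { return groups.containsKey(group); }
    public Result getUsers(String pattern, int limit) { return match(users.keySet(), pattern, limit); }
    public Result getGroups(String pattern, int limit) { return match(groups.keySet(), pattern, limit); }
    public String getUserDisplayName(String user) throws EntryNotFoundException { require(users, user); return user; }
    public String getGroupDisplayName(String group) throws EntryNotFoundException { require(groups, group); return group; }
    public String getUniqueUserId(String user) throws EntryNotFoundException { return require(users, user).id; }
    public String getUniqueGroupId(String group) throws EntryNotFoundException { return require(groups, group).id; }
    public String getUserSecurityName(String uniqueId) throws EntryNotFoundException { return byId(users, uniqueId); }
    public String getGroupSecurityName(String uniqueId) throws EntryNotFoundException { return byId(groups, uniqueId); }
    public List getGroupsForUser(String user) throws EntryNotFoundException {
        require(users, user); List<String> out = new ArrayList<>();
        for (Map.Entry<String, Entry> g : groups.entrySet()) if (g.getValue().members.contains(user)) out.add(g.getKey());
        return out;
    }
    public List getUniqueGroupIds(String uniqueUserId) throws EntryNotFoundException {
        List<String> ids = new ArrayList<>();
        for (Object g : getGroupsForUser(byId(users, uniqueUserId))) ids.add(groups.get(g).id);
        return ids;
    }
    public Result getUsersForGroup(String group, int limit) throws EntryNotFoundException {
        return match(require(groups, group).members, "*", limit); }
    public WSCredential createCredential(String user) { return null; }  // deprecated; WAS builds the credential itself

    private static Entry require(Map<String, Entry> m, String name) throws EntryNotFoundException {
        Entry e = m.get(name); if (e == null) throw new EntryNotFoundException(name + " not found"); return e; }
    private static String byId(Map<String, Entry> m, String id) throws EntryNotFoundException {
        for (Map.Entry<String, Entry> e : m.entrySet()) if (e.getValue().id.equals(id)) return e.getKey();
        throw new EntryNotFoundException("unique id " + id + " not found"); }
    // WAS passes wildcard patterns such as "*" or "adm*"; everything except '*' is matched literally.
    private static Result match(Collection<String> names, String pattern, int limit) {
        Pattern p = Pattern.compile(Pattern.quote(pattern).replace("*", "\\E.*\\Q"));
        List<String> hits = new ArrayList<>();
        for (String n : names) if (p.matcher(n).matches()) hits.add(n);
        Result r = new Result();
        if (limit > 0 && hits.size() > limit) { r.setHasMore(); hits = new ArrayList<>(hits.subList(0, limit)); }
        r.setList(hits); return r;
    }
}
```

To use a class like this, put the compiled class on the server's class path, select a standalone custom registry in the security configuration, enter the class name, and define usersFile, groupsFile and, optionally, realm as custom properties of that registry. The user named as the primary administrative identity must exist in usersFile before security is enabled, or the server cannot authenticate its own administrator. Two design points worth keeping in any real implementation: checkPassword never returns a name it did not verify, and it treats a missing user exactly like a bad password, so the registry cannot be used to enumerate accounts.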

Although the product supports different types of user registries, only one user registry can be active at a time, and that active registry is shared by all of the product server processes. If product processes in one node or cell need to communicate with processes in other nodes or cells using Lightweight Third Party Authentication (LTPA), all of those nodes and cells must share the same user registry: an LTPA token carries the user's identity, and the receiving process must be able to resolve that identity in its own registry. Because Local OS registries are restricted to the local machine, use either LDAP or a custom registry when inter-node or inter-cell communication is required. The one exception to this restriction is the Windows Domain registry, which can serve as a centralized repository for all of the processes.


See Also

Simple WebSphere authentication mechanism
Custom user registries